Merge "Sepolicy for OMX hal."

private/app.te

@@ -158,6 +158,11 @@ binder_call(appdomain, appdomain)
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
 
+# hidl access for mediacodec
+# TODO(b/34454312): only allow getting and talking to mediacodec service
+hwbinder_use(appdomain)
+hwallocator_use(appdomain)
+
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services

private/system_server.te

@@ -179,6 +179,7 @@ binder_service(system_server)
 
 # Perform HwBinder IPC.
 hwbinder_use(system_server)
+hwallocator_use(system_server)
 binder_call(system_server, hal_bluetooth)
 binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)

public/mediacodec.te

@@ -18,6 +18,11 @@ allow mediacodec video_device:dir search;
 allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec hal_graphics_allocator:fd use;
 
+# hidl access
+hwbinder_use(mediacodec)
+hwallocator_use(mediacodec)
+allow mediacodec system_file:dir { open read };
+
 ###
 ### neverallow rules
 ###

public/mediaserver.te

@@ -132,6 +132,10 @@ allow mediaserver hal_graphics_allocator:fd use;
 
 allow mediaserver system_server:fd use;
 
+# hidl access
+hwbinder_use(mediaserver)
+hwallocator_use(mediaserver)
+
 ###
 ### neverallow rules
 ###